Firm To Release Database, Web Server 0-Days

krebsonsecurity writes "January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products, including MySQL, Tivoli, IBM DB2, Sun Directory, and a host of others, writes krebsonsecurity.com. From the blog: 'After working with the vendors long enough, we've come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called "responsible disclosure" policy,' Legerov said."

Re:Why not?

[HarrisonFisk]

The problem is that he isn't contacting the vendors in this case. He said that in the past he has tried contacting them (in the general sense, not these vendors specifically) and some of them didn't reply so from now on, all vendors are not going to be contacted.

I work for one of the projects affected and know that they did not contact us in this case. If he had, we would have happily fixed the issue within a day or two. Instead our users are being put on the line as dumb script kiddies try out their new exploit while we finish up the bug fix.